STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021

The Juniper perimeter router must be configured to block all packets with any IP options.

DISA Rule

SV-217040r639663_rule

Vulnerability Number

V-217040

Group Title

SRG-NET-000205-RTR-000015

Rule Version

JUNI-RT-000350

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This requirement is not applicable for the DoDIN Backbone.

Configure the router to drop all packets with IP options.

[edit firewall family inet filter INBOUND_FILTER]
set term DROP_IPOPTIONS from ip-options any
set term DROP_IPOPTIONS then discard
insert term DROP_IPOPTIONS before term BLOCK_BOGONS

Check Contents

This requirement is not applicable for the DoDIN Backbone.

Review the router configuration to determine if it will block all packets with IP options.

firewall {
    family inet {
        filter INBOUND_FILTER {
            term DROP_IPOPTIONS {
                from {
                    ip-options any;
                }
                then {
                    syslog;
                    discard;
                }
            }
            term BLOCK_BOGONS {
                from {
                    source-prefix-list {
                        BOGON_PREFIXES;
                    }
                }
                then {
                    syslog;
                    discard;
                }
            }
            term ALLOW_ABC {

            term DENY_ALL_OTHER {
                then {
                    log;
                    syslog;
                    reject;
                }
            }
        }

If the router is not configured to drop all packets with IP options, this is a finding.
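Junos evaluates filter terms top-down, which is why the fix inserts DROP_IPOPTIONS ahead of the other terms: a term that accepts traffic earlier in INBOUND_FILTER would let option-bearing packets through before the discard term is reached. The following Python audit is an added example, not part of the STIG or of STIGQter; it parses a firewall stanza of the shape shown in the check and confirms that a term matching exactly ip-options any and discarding the packet appears before any accepting term. The term strings are constructed from the check text, and the ALLOW_ABC match conditions are invented because the check elides them.

```python
import re

def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts; leaves map to None, term order is kept."""
    root = {}
    node, stack, buf = root, [], []
    for tok in re.findall(r"[{};]|[^{};]+", text):
        tok = " ".join(tok.split())       # normalise whitespace and newlines
        if tok == "{":
            child = {}
            node[" ".join(buf)] = child
            stack.append(node)
            node, buf = child, []
        elif tok == ";":
            node[" ".join(buf)] = None
            buf = []
        elif tok == "}":
            node = stack.pop()
        elif tok:
            buf.append(tok)
    return root

def ip_options_dropped(config_text, filter_name="INBOUND_FILTER"):
    """True only if a term matching exactly 'ip-options any' discards the packet
    before any term that accepts traffic (Junos evaluates filter terms top-down)."""
    cfg = parse_junos(config_text)
    flt = cfg.get("firewall", {}).get("family inet", {}).get(f"filter {filter_name}")
    for name, body in (flt or {}).items():
        if not name.startswith("term ") or not isinstance(body, dict):
            continue
        then = body.get("then")             # block form: then { syslog; discard; }
        actions = (set(then) if isinstance(then, dict)
                   else {k[5:] for k in body if k.startswith("then ")})  # inline: then accept;
        if body.get("from") == {"ip-options any": None} and "discard" in actions:
            return True
        if "accept" in actions:
            return False   # shadowed: option-bearing packets can already be accepted here
    return False

# Constructed term strings modelled on the check text above; the ALLOW_ABC body is invented.
DROP_TERM = "term DROP_IPOPTIONS { from { ip-options any; } then { syslog; discard; } }"
BOGON_TERM = "term BLOCK_BOGONS { from { source-prefix-list { BOGON_PREFIXES; } } then { syslog; discard; } }"
ALLOW_TERM = "term ALLOW_ABC { from { protocol tcp; destination-port 443; } then accept; }"
DENY_TERM = "term DENY_ALL_OTHER { then { log; syslog; reject; } }"

def build_filter(*terms):
    """Wrap the terms, in the order given, in the firewall / family inet / INBOUND_FILTER stanza."""
    return "firewall { family inet { filter INBOUND_FILTER { %s } } }" % " ".join(terms)
```

Feeding it the output of `show configuration firewall` from a real device exercises the same logic; a term that is present but placed after an accept term is reported as non-compliant, matching the intent of the insert-before step in the fix.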

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4032

Comments